Presentation: Designing Secure Architectures Modern Way

Track: Trust, Safety & Security

Location: Pacific DEKJ

Duration: 4:10pm - 5:00pm

Day of week: Wednesday

Abstract

This talk aims to attack two typical conflicts many security architects are well familiar with:

1. Most of the design thinking for preventing security incidents is focused on avoiding known risks in a known way. However, most of the time this approach leads to cost-efficient systems that are prone to unexpected security/reliability failures that are harder to mitigate. 
2. Most risk treatment choices for security risks focus on "this stack is able to do <security_control> in a certain way and no other way around, so we better build around that": the capabilities within each technological stack to cope with the risks it faces are limited by a pre-defined feature set.

The real world, unfortunately, shows that both of these constraints are driven by the same causes and produce the same outcomes: a short-term feeling of safety ("we turned SSL on so it's definitely going to be fine") and of a job well done, until someone breaks your systems in a way that is unexpected to you but obvious to them.

The solution? It's the security utility and combination of controls around sensitive assets that matters, not just the checkboxes available. And assessing these assets, understanding their lifecycle first, then consciously designing defenses around this lifecycle leads to cost-efficient solutions that don't break the technological stack. 

This talk came out of the speaker's experiences of implementing sophisticated defenses in constrained environments - ranging from protecting huge power grid SCADA telemetry to improving end-to-end encryption in small mobile applications in tricky use cases - and how just changing the point of attention in the initial stages of security efforts saved money and enabled systems to be more resilient to real risks... without re-engineering most of the stack.

Speaker: Eugene Pilyankevich

CTO @cossacklabs, Building Applied Cryptographic / Data Security Tooling

Eugene is CTO at Cossack Labs, a data security engineering company, where his job includes almost everything (as you can imagine a CTO of a small company does): defining product strategy, designing internal products and customer solutions, driving R&D efforts, and ensuring the steady cycle of forming–storming–norming–performing of the core engineering team. Eugene started as a software developer and ISP infrastructure engineer nearly two decades ago. Always being keen to chase the causes of the failures he had to deal with daily led to a chain of positions - from security engineer through software/security architect to CTO - in the telco, banking, and computer security industries. A life-long interest in understanding risk, human behavior, and decision-making under uncertain conditions made Eugene look into the causes of resiliency and security problems where they actually begin: in human brains.
